commit 754663f8c497c43f169638c3903e37b323b7c98f
author Hanno Becker <hanno.becker@arm.com> Wed Oct 25 16:08:19 2017 +0100
committer Hanno Becker <hanno.becker@arm.com> Wed Oct 25 16:11:06 2017 +0100
tree 2ede571a98ef7b7ffebf519bdbbbe6e5df7a3db3
parent 0727ca41b7418378d6d063b8ade62b7437c98d0a

Fix information leak in ecp_gen_keypair_base

The function ecp_gen_keypair_base did not wipe the stack buffer used to
hold the private exponent before returning. This commit fixes this by not using
a stack buffer in the first place but instead calling mpi_fill_random directly
to acquire the necessary random MPI.

library/ecp.c

diff --git a/library/ecp.c b/library/ecp.c
index 79066dc..f39e7eb 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1854,7 +1854,6 @@
     {
         /* SEC1 3.2.1: Generate d such that 1 <= n < N */
         int count = 0;
-        unsigned char rnd[POLARSSL_ECP_MAX_BYTES];
 
         /*
          * Match the procedure given in RFC 6979 (deterministic ECDSA):
@@ -1865,8 +1864,7 @@
          */
         do
         {
-            MPI_CHK( f_rng( p_rng, rnd, n_size ) );
-            MPI_CHK( mpi_read_binary( d, rnd, n_size ) );
+            MPI_CHK( mpi_fill_random( d, n_size, f_rng, p_rng ) );
             MPI_CHK( mpi_shift_r( d, 8 * n_size - grp->nbits ) );
 
             /*